Method for the modular reduction of numbers.

In cryptographic techniques which are based on the discrete logarithm problem, use is made of exponentiation modulo a large number. If, in this method, the exponentiation is first carried out completely and the modular reduction is only carried out thereafter, this requires very considerable computation time and a very large memory capacity. It is known that the exponentiation can be accelerated by iteratively multiplying and squaring, with a modular reduction after each step. The invention provides a method of also accelerating the modular reduction at the same time, as a result of which the exponentiation modulo a large number can be further accelerated. For this purpose, the invention describes a protocol for a modular reduction of a 2n-digit number x in a number system with base b to obtain an n-digit remainder, in which use is made of a specific modulus p which satisfies $p = b^n - a$, where $0 < a < b$. The method according to the invention does not reduce the security of the cryptographic system for which the modular exponentiation is carried out.

The invention relates to a method for the modular reduction of a not more than 2n-digit number x to obtain a not more than n-digit remainder in accordance with the formula

$r \equiv x \pmod{p}$, where p is the chosen modulus, for the purpose of cryptographic calculations which are based on the general discrete logarithm problem in a number system with base b.

In cryptographic techniques, use may be made of exponentiation modulo a large prime number. An example of this is a cryptographic technique which is based on the discrete logarithm problem which is described by W. Diffie and M.E. Hellman in the paper entitled "New directions in Cryptography" in IEEE Trans. on Information Theory, vol. IT-22, pages 644-664, 1976.

This paper describes a discrete exponentiation modulo a prime number p for use in a public key distribution system. This so-called DH system makes use of publicly known messages in the following way in order to construct a secret common key. Choose a prime number p for which it is true that p - 1 has at least one large prime factor, and an integer z from the set {2, 3, ..., p - 1}. These two numbers are made public. Every user now arbitrarily chooses a number x from the set {2, 3, ..., p - 2}, keeps it secret and calculates the number y = (mod p). Two users a and b send their numbers y, i.e. $y_a$ and $y_b$ respectively, to each other. With the aid of his own value of x, $x_a$, and the $y_b$ received, user a can calculate a secret key $k_a$ in accordance with

$k_a = y_b^{x_a} \equiv z^{x_a x_b} \pmod{p}$.

With the aid of his own value of x, $x_b$, and the $y_a$ received, user b can calculate a secret key in accordance with: $k_b = y_a^{x_b} \pmod{p}$. It will be clear that $k_a = k_b = k$ and that the users have constructed a common secret key in this way.

Because the taking of the discrete logarithm has hitherto been regarded as virtually impossible, it is also virtually impossible to calculate the integers $x_a$ and $x_b$ or the key k starting from the numbers $y_a$ and $y_b$. Methods other than that of taking the discrete logarithm to calculate these values have hitherto not been known. Exponentiation modulo a large prime number, the exponentiation being carried out first and the result thereby obtained then being reduced, results quite quickly in unacceptably long computation times, while the memory capacity required in that case becomes very large.

In "The Art of Computer Programming", Vol. 2: Seminumerical Algorithms, 2nd edition, Addison Wesley, 1981, D.E. Knuth describes how an exponentiation can be imagined as built up of repeated multiplication and squaring. He also describes how modular exponentiation can be simplified by making use of modular reduction in every multiplication step and squaring step. Said modular reduction generally takes place by making use of a division algorithm. If the modulus p is the divisor and the number to be reduced is x, the remainder obtained after division gives the desired result:

$x = q \cdot p + r$,

where q is the quotient, this being written in the present description as

$r \equiv x \pmod{p}$.

If the opportunity is seen of accelerating the modular reduction, the exponentiation can also be accelerated, and the object of the invention is therefore to provide a method for the rapid modular reduction of a large number from a number system with base b by means of an iterative division algorithm. Such division algorithms are known per se from, for example, the paper entitled "Fast algorithms for implementing RSA public key cryptosystem" by S.B. Mohan and B.S. Adiga in Electronics Letters, vol. 21, no. 17, August 1985, which describes an iterative division algorithm for use in the RSA system, which algorithm has been developed exclusively for the binary system and for a composite modulus which is made up of the product of two large prime numbers and a number of smaller prime numbers. The paper entitled "A practical fast exponentiation algorithm for public key" by H.R. Chivers, International Conference on Secure Communications Systems, London, 22-23 February 1984, furthermore describes an accelerated division algorithm for use in the encoding system of Diffie and Hellman. In this case, however, it is proposed to make use of remainder tables, and this is often undesirable in view of the memory space required for such tables. The object of the invention is, more particularly, to provide a method for fast modular reduction which is efficient to implement in software, preferably with a minimum of program lines, which is of great importance, in particular, if said program is present in the processor present on a so-called smart card. This object must at the same time be fulfilled without diminishing the safety of the cryptographic protocol, for the purpose of which the modular reduction is carried out.

For a general description of the way in which a cryptographic system can be used in combination with a smart card, reference is made to the paper entitled "The Smart Card: A high security tool in EDP" by R.C. Ferreira in Philips Telecommunication and Data Review, PTR, Volume 47, no. 3, September 1989, pages 1-19. However, said paper describes the use in cryptographic systems in which the discrete logarithm problem does not occur.

In order to fulfil the objects described, the invention provides a method of the abovementioned type in which it holds true for the modulus p that $p = b^n - a$, where $0 < a < b$. More particularly, the invention is characterised in that the 2n-digit number x is always split into two n-digit numbers $x_H$ and $x_L$ in accordance with the formula

$x = (x_H \cdot b^n) + x_L$,

where

$x_H = \sum_{i=0}^{n-1} x_{i+n} \cdot b^i$ and $x_L = \sum_{i=0}^{n-1} x_i \cdot b^i$, where $0 \le x_i < b$;

in that the remainder r is determined by first calculating:

$r_{temp} = x_L + a \cdot x_H$;

in that it is then determined whether the following is fulfilled:

$r_{temp} < b^n$;

in that, if this is the case, it holds true that:

$r = r_{temp}$;

in that, if this is not the case, an integer c is calculated which is determined by the value of $r_{temp}/b^n$ rounded downwards to the nearest integer and $r_{temp}$ is calculated in accordance with:

$r_{temp} = r_{temp} - c \cdot b^n$

and in that this step is repeated until the following is fulfilled:

$r_{temp} < b^n$,

whereafter it holds true that

$r = r_{temp}$.

The invention can be explained in greater detail in the following manner.

Suppose that x, the number to be reduced, and r, the remainder, are positive integers and that their representation in the system with base b is given by:

$(x)_b = \sum_{i=0}^{2n-1} x_i \cdot b^i$ and $(r)_b = \sum_{i=0}^{n-1} r_i \cdot b^i$, where $0 \le x_i, r_i < b$.

For the modulus p it holds true that

$(p)_b = \sum_{i=0}^{n-1} p_i \cdot b^i = b^n - a$, where $0 < a < b$ and $n > 1$.

The modular reduction can now be carried out as follows:

$(r)_b \equiv (x)_b \pmod{(p)_b} = (x)_b - ((k)_b \cdot (p)_b) = (x)_b - (k)_b \cdot b^n + (k)_b \cdot a$, where $(k)_b$ is so chosen that this equation is fulfilled.

If it is assumed that use is made of registers having a length of n digits, the number $(x)_b$ can be reproduced by two n-digit registers $(x_H)_b$ and $(x_L)_b$ as:

$(x)_b = (x_H)_b \mid (x_L)_b = (x_H)_b \cdot b^n + (x_L)_b$,

with

n-1

From this it follows that if $(x_H)_b = (k)_b$ is chosen, the reduced $(x)_b$ can be obtained by adding the number $a \cdot (x_H)_b$ to $(x_L)_b$ and by continuing to do this with the $(x_H)_b$ produced after the addition until $(x_H)_b = 0$ and therefore $(x)_b < b^n$.

The flow diagram shown in the drawing reproduces the method according to the invention in more detail for a number in the system with base b.

If it is true for a number w in the system with base b that $w = y \cdot b + x$, the functions low() and high() are defined as:

low(w) = x and high(w) = y.

The length $n = L_b(s)$ of a number $(s)_b$ in the system with base b follows from:

$L_b(s) = \max\{i \mid (s)_b \ge b^i\} + 1$.

The modular reduction $(r)_b \equiv (x)_b \pmod{(b^n - a)_b}$ then proceeds in the way shown in the flow diagram.

Block 1 shows that, at the beginning of the modular reduction of a number $(x)_b$, the loop variable i and the variable CARRY are equal to 0 and the remainder values $(r)_b$ and $(r')_b$ are equal to $(0)_b$, n and a being predetermined constants which determine the modulus. For $(x)_b$ and for $(r)_b$, the formulae already given above apply:

$(x)_b = \sum_{i=0}^{2n-1} x_i \cdot b^i$ and $(r)_b = \sum_{i=0}^{n-1} r_i \cdot b^i$, where $0 \le x_i, r_i < b$.

In block 2, whether the length of $(x)_b$, i.e. $L_b(x)$, minus n is greater than i is determined. If that is the case, a temporary number TEMP is determined in block 3 in accordance with TEMP = $x_i + a \cdot x_{i+n}$ + CARRY, $r_i$ then becoming equal to low(TEMP) and the variable CARRY equal to high(TEMP). Then the loop variable i in block 4 is increased by 1 so that it becomes equal to i + 1, and block 2 is reverted to. When, at a certain instant, it is the case in block 2 that $L_b(x) - n \le i$, the modular reduction is continued in block 5 by determining whether CARRY is greater than 0, and if this is not the case, the remainder $(r)_b$ is known in principle. If CARRY is in fact greater than 0, a determination is first made in block 6 of whether i is equal to n. If this is the case, the loop variable i is again put equal to 0 in block 7 and the variable CARRY is multiplied by the constant a, after which block 8 is proceeded to. If it is found in block 6 that i is not equal to n, block 8 is also proceeded to. In block 8, TEMP is put equal to TEMP = $r_i$ + CARRY, $r_i$ then becoming equal to low(TEMP) and the variable CARRY becomes equal to high(TEMP). Then the loop variable i is increased by 1 in block 9 so that it becomes equal to i + 1, and the loop is run through again, starting at block 5, until it is finally true that CARRY = 0, which in principle determines the remainder. Once the remainder $(r)_b$ has been determined in block 5, there is the possibility that the remainder $(r)_b$ is nevertheless greater than the modulus p, the chance of this being $a/b^n$.

For this reason an auxiliary remainder $(r')_b = (r)_b + a$ is calculated in block 10 and in block 11 a check is made on whether the length of $(r')_b$, i.e. $L_b(r')$, is in fact greater than n and if this is not the case, the calculated remainder $(r)_b$ is already the true remainder. However, if $L_b(r')$ is in fact greater than n, the true remainder $(r)_b$ is calculated in block 12 by taking the last n digits of $(r')_b$. Block 13 indicates the end of the calculation of the remainder $(r)_b$. As will be explained further below, the steps according to the blocks 10, 11 and 12 are in many cases superfluous because if it is found in block 5 that the CARRY is not greater than 0, an n-digit remainder has already been calculated, and this is in principle the object of the method according to the invention.

With the method according to the invention as explained above, a modular reduction is possible with the aid of a limited number of multiplications if a > 1 and even no multiplication at all if a = 1. If a = 1, the loop formed in the flow diagram by the blocks 2, 3 and 4 is executed not more than n times, without multiplications having to be carried out, and block 7 is executed not more than once, also without multiplications being necessary. If a > 1, the loop formed by the blocks 2, 3 and 4 in the flow diagram is executed not more than n times, not more than n multiplications having to be carried out in block 3, and block 7 is executed not more than twice, not more than 2 multiplications being necessary, so that if a > 1, the maximum number of multiplications needed is n + 2.

The flow diagram described above provides an explanation of the method according to the invention for a calculation in software, the entire calculation of the n-digit remainder $(r)_b$ of the 2n-digit number $(x)_b$ in the system with base b being carried out digit by digit. However, it will be immediately obvious to those skilled in the art that the method according to the invention can also be implemented in an extremely efficient way in hardware, in which case multiplications by n-digit numbers are carried out directly. The invention will be illustrated further with reference to two numerical examples in the decimal system, use being made of such multiplications by n-digit numbers for the sake of simplicity.

In the decimal system, b = 10. Furthermore, the number 9991 is chosen for the modulus $(p)_{10}$, so that n = 4 and $a = b^n - (p)_{10} = 10^4 - 9991 = 0009$.

In the first example, the remainder of the number 99980001 is sought.

According to the first step of the algorithm it is calculated that:

$(x_H)_{10} \cdot a + (x_L)_{10} = 9998 \times 0009 + 0001 = 00089983$.

The carry, the newly-formed $(x_H)_{10}$, is thus found to be equal to 0008 and $(x_L)_{10} = 9983$, and because the carry is greater than zero, the following calculation is carried out:

carry $\times\ a + (x_L)_{10} = 0008 \times 0009 + 9983 = 00010055$.

Again the carry, the newly-formed $(x_H)_{10}$, is greater than zero so that a calculation is again carried out:

carry $\times\ a + (x_L)_{10} = 0001 \times 0009 + 55 = 0064$.

The carry is now equal to zero and the remainder is therefore known in principle and is equal to the last $(x_L)_{10}$ calculated = 0064. As has already been noted above in the description of the flow diagram, there is a slight chance that the calculated remainder $(r)_{10}$ is greater than $(p)_{10}$. However, because the invention is in principle aimed at the fast modular reduction of a 2n-digit number to an n-digit number, it is of less importance whether the n-digit remainder found is also the true remainder or whether it yet again contains more than the modulus. In the first example given above, it is clear that $(r)_{10} < (p)_{10}$, so that an explanation of the steps according to the blocks 10 - 12 in the flow diagram is of little interest for this example. However, by adding the value of a to the n-digit remainder found and determining whether the length of the auxiliary remainder $(r')_{10}$ thereby calculated is greater than n, the true remainder can always be determined, as will be illustrated by reference to the following example.

In the second example, the remainder of 19987 is sought. According to the first step of the algorithm, the following calculation is carried out:

$(x_H)_{10} \cdot a + (x_L)_{10} = 0001 \times 0009 + 9987 = 9996$.

The carry is now equal to zero and the remainder $(r)_{10}$ is therefore known in principle, but it is not known, however, if this is the true remainder. For this reason, the following calculation is furthermore first carried out:

$(r')_{10} = (r)_{10} + a = 9996 + 0009 = 10005$.

The value of $(r')_{10}$ is found to have a length greater than n and the true remainder $(r)_{10}$ is therefore determined by taking the last 4 digits of $(r')_{10}$, so that $(r)_{10}$ is found to be = 0005.
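
The folding step and the final correction from the two decimal examples above, as an added Python example that is not part of the patent text. The function names fold_reduce and modexp and the binary parameters b = 2**16, n = 4, a = 59 are assumptions chosen for illustration; the code works on whole n-digit halves, as the numerical examples do, rather than digit by digit as in the flow diagram.

```python
"""Added example: reduction modulo p = b**n - a by folding the high half."""


def fold_reduce(x, b, n, a):
    """Return (r, steps) with r = x mod (b**n - a) for 0 <= x < b**(2n).

    steps lists (carry, low, folded) for every fold, so the trace can be
    compared with the two decimal examples in the text.
    """
    if not (n > 1 and 0 < a < b):
        raise ValueError("modulus must have the form b**n - a, 0 < a < b, n > 1")
    bn = b ** n
    if not 0 <= x < bn * bn:
        raise ValueError("x must have at most 2n digits in base b")
    steps = []
    r = x
    while r >= bn:                      # high part (the carry) is non-zero
        carry, low = divmod(r, bn)      # r = carry * b**n + low
        r = low + a * carry             # b**n is congruent to a modulo p
        steps.append((carry, low, r))
    # r now fits in n digits but may still lie in [p, b**n): blocks 10-12.
    r_aux = r + a
    if r_aux >= bn:                     # r' needs more than n digits
        r = r_aux - bn                  # keep the last n digits of r'
    return r, steps


def modexp(z, e, b, n, a):
    """Square-and-multiply with a fold_reduce after every product."""
    result = 1
    base, _ = fold_reduce(z, b, n, a)
    while e > 0:
        if e & 1:
            result, _ = fold_reduce(result * base, b, n, a)
        base, _ = fold_reduce(base * base, b, n, a)
        e >>= 1
    return result


if __name__ == "__main__":
    for x in (99980001, 19987):         # the two examples from the text
        r, steps = fold_reduce(x, 10, 4, 9)
        print(x, "->", r, steps)
    # Constructed binary case: b = 2**16, n = 4, a = 59, p = 2**64 - 59.
    print(modexp(3, 2**40 + 7, 2**16, 4, 59))
```

Every product passed to fold_reduce inside modexp is below p squared and therefore has at most 2n digits, which is the input size the method is defined for.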

The modular reduction described above is of importance in order to be able to carry out cryptographic methods efficiently and rapidly, with use being made of exponentiation modulo a large prime number such as the DH system described above. A number of other types of these cryptographic methods will be briefly discussed below.

A secret m can be exchanged by the so-called Three-Pass protocol with the aid of discrete exponentiation modulo a known prime number p, possibly made public. This is done in the following way: As in the DH system, the users a and b both choose a secret arbitrary number x, $x_a$ and $x_b$ respectively, but they now both calculate a secret $x^{-1}$ which satisfies the relationship:

$x \cdot x^{-1} \equiv 1 \pmod{p - 1}$.

If user a wishes to send the secret message m to user b, he calculates

$y \equiv m^{x_a} \pmod{p}$

and sends it to b. User b now calculates:

$z \equiv y^{x_b} \equiv m^{x_a x_b} \pmod{p}$

and sends it back to a. User a now calculates:

and sends it back to b. From this, user b can calculate the secret message via:

$(m^{x_b})^{x_b^{-1}} = m^{x_b x_b^{-1}} \equiv m \pmod{p}$.

A third cryptographic system is known under the name of the Pohlig-Hellman (PH) system, and here again, use is made of a prime number p for which it holds true that p - 1 has at least one large prime factor. In the PH system, the users a and b choose secret numbers $x_a$ and $x_b$ so that it holds true that

$x_a x_b \equiv 1 \pmod{p - 1}$.

A secret message m can now therefore be exchanged between a and b with the aid of the following two functions:

The encoding function $E_a$ for a and the decoding function $D_b$ for b is given by:

$E_a(y) = D_b(y) \equiv y^{x_a} \pmod{p}$.

The decoding function $D_a$ for a and the encoding function $E_b$ for b is given by:

$D_a(y) = E_b(y) \equiv y^{x_b} \pmod{p}$.
Claims 
1. Method for the modular reduction of a not more than 2n-digit number x to obtain a not more than n-digit remainder r in accordance with the formula $r \equiv x \pmod{p}$, where p is the chosen modulus, for the purpose of cryptographic calculations which are based on the general discrete logarithm problem in a number system with base b, characterised in that p is an n-digit number for which it holds true that $p = b^n - a$, where $0 < a < b$.

2. Method according to claim 1, characterized in that the 2n-digit number is always split into two n-digit numbers $x_H$ and $x_L$ in accordance with the formula $x = (x_H \cdot b^n) + x_L$,

where

$x_H = \sum_{i=0}^{n-1} x_{i+n} \cdot b^i$ and $x_L = \sum_{i=0}^{n-1} x_i \cdot b^i$, where $0 \le x_i, x_{i+n} < b$;

in that the remainder r is determined by first calculating:

$r_{temp} = x_L + a \cdot x_H$;

in that it is then determined whether the following is fulfilled:

$r_{temp} < b^n$;

in that, if this is the case, it holds true that

$r = r_{temp}$;

in that, if this is not the case, an integer c is calculated which is determined by the value of $r_{temp}/b^n$ rounded downwards to the nearest integer and $r_{temp}$ is calculated in accordance with:

$r_{temp} = r_{temp} - c \cdot b^n$

and in that this step is repeated until the following is fulfilled:

$r_{temp} < b^n$,

whereafter it holds true that

$r = r_{temp}$.

3. Method according to claim 2, characterised in that $r' = r + a$ is calculated, after which the true remainder is equal to the last n digits of r' if $r' > b^n$ and is equal to r if $r' < b^n$.